Many companies have been caught off guard by China’s new data laws, forcing them into hasty policy alterations. Helen Gu, general counsel of Weibo’s principal shareholder Sina Group, urges enterprises to take a more proactive approach to data governance.
WITH EACH successive generation of internet technology, the pace at which data resources are transforming our way of life is quickening, empowering industrial upgrades while helping to drive a new round of technological revolution.
It is precisely for this reason that competition among platform enterprises over data rights and interests is heating up. How a platform can effectively manage and use the data resources it has lawfully collected is a crucial issue in urgent need of resolution. Resolving it requires all social entities to jointly maintain and promote the improvement and development of enterprise data governance systems, so as to give rise to a sound and orderly mechanism for allocating data elements and to ensure the sustainable and efficient operation of the data market.
IMPACT OF NEW FRAMEWORK
The Data Security Law (DSL), the Personal Information Protection Law (PIPL) and a series of complementary measures that have successively entered into effect have set a new roadmap for data governance by Chinese enterprises, providing a governance approach and measures that are in keeping with the new issues and challenges arising in the industry, and also establishing more definite guidelines and rules for the development of the industry.
The DSL, which entered into effect on 1 June 2021, establishes China’s dual governance logic of “protection + use” of data. It implements the overall national security approach, ensures the status of data as a fundamental strategic resource, and establishes the basic systems of administration of data by type and level, data security reviews, data security risk assessments, monitoring, early warning and emergency response.
It further stresses the equal importance of security and development, regulates data activities while promoting the reasonable and effective use of data in accordance with the law, and provides the regulatory backup for fully leveraging the roles of data as a fundamental resource and an engine of innovation.
The author argues that it is only by correctly understanding the macro purpose of the DSL that enterprises can veritably and effectively put in place data management systems and ensure the lawfulness and compliance of their various market actions.
The PIPL, which entered into effect on 1 November 2021, represents the first set of detailed rules since the Civil Code to protect personal information as an important civil right, providing greater specificity and operability in the following four areas:
- Setting “inform-consent” as the core rule of the protection of personal information. It establishes the validity of a user’s consent on the foundation of full notification by a platform, including “separate consent” and “written consent”, as well as the right to withdraw consent.
- Emphasising the prohibition on “big data-enabled price discrimination”. It specifies that a personal information processor that uses personal information for automated decision-making is required to ensure the transparency of such decision-making, and the fairness and impartiality of the outcome, and is prohibited from unreasonably treating individuals in a discriminatory manner in terms of transaction price and other such transaction conditions.
- Requiring strict measures to protect sensitive personal information. It requires that sensitive personal information be processed only if there is a specific purpose and sufficient necessity, if strict protection measures are taken, if the separate consent of the user is secured, and if a prior impact assessment is conducted. Furthermore, the law requires that the individual be fully informed of the necessity of processing such information, and its impact on his or her rights and interests.
- Strengthening the obligations of personal information processors. A personal information processor is the party with chief responsibility for the protection of personal information, is liable for its personal information processing activities, and is required to take the measures necessary to ensure the security of the personal information that it processes. To that end, the law has a chapter that expressly sets out the compliance management obligations borne by personal information processors and their duty to ensure the security of personal information.